Chertoff Advocates Cyber Cold War
Jack Spine writes "The US and allied countries should formulate a doctrine to apply the principles of nuclear deterrence to cyber attacks and cyber espionage, according to former US Homeland Security secretary Michael Chertoff. No matter that it's very difficult to attribute the source of cyber attacks — just take punitive action against the platform being used to attack, says Chertoff."
Don't you just love people who try too hard to justify their jobs?
Then maybe they'll start using nuclear silo systems to attack other of our interests. Two birds with one stone eh?
Two of my imaginary friends reproduced once
...nation states should be able to act against technologies in countries being used as a platform for attack...
So, nuke Redmond?
So long as they don't respond to a DDoS with one of their own, but with a targeted attack designed to silence the particular nodes in question, then it's probably a good thing. It's not like it's not possible to keep logs to see if these guys are operating outside their mandate.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Soon even the smallest of countries can wield the destructive force of a superpower: Just make it look like your opponent attacked the USA and the USA will do your dirty work.
This is all incredibly stupid. First off, we should never have a "cyber cold war" because we shouldn't put our fucking important infrastructure on the internet! If it could harm human lives if it goes down and there isn't a non-networked backup that can be used at a millisecond's notice, it shouldn't be on the internet.
If you've spent 2.3 billion to construct another power plant and you are too lazy to actually staff it, something tells me an extra $150,000 to run dedicated lines from it to your main office is just a drop in the bucket.
If we can lay a direct telephone line between Washington DC and Moscow to prevent a nuclear war, something tells me we can afford to lay some cable 10 miles to prevent some "cyber cold war"
Taxation is legalized theft, no more, no less.
Just like we took punitive action against Logan Airport and United Airlines for 9/11? Oh, right.
When "our adversary" uses the likes of Google or Akamai or British Telecom against us in a cyberattack, we're going to return fire on those platforms?
Hey, I'm putting a scheme together about the RIAA...
I say that anyone whose system is being used for DDoS attacks can't complain about such treatment. They should have secured their systems.
Blar.
"Cyber" is the vague sort of word that Government Management uses in an attempt to sound technologically astute. As soon as you hear a phrase such as "cyber war", you know you are dealing with a management automaton paddling beyond its depth.
It's interesting to note that this term is a back-formation made from "cybernetics":
"From Greek kubernētēs, governor, from kubernān, to govern."
Makes it sound as though this is another war that is being invented by the government to spend the people's money to take the people's freedom away.
Rich And Stupid is not so bad as Working For Rich And Stupid.
Maybe we should all take our shoes off for inspection before we get online. Or make us wait in an unguarded corral area for half an hour before we can enter the secured area. Or randomly pull users aside for full system scans. Or force users to drink their own breast milk before logging in.
I sure as hell don't want them "attacking" computers online.
jack spine writes; the US and allied countries should....
jack spine should realize he is NOTHING
Anyone can fake the origin of an attack, so the basic rule about this is: never attack the attackers. If you do this, you can be used as a means to attack others!.. like your cpu power being used as part of a DDoS against a third party.
Internet just don't work like that.
-Woof woof woof!
Seems to me these people still do not understand the threat. This is not warfare. It is vandalism, petty theft, corporate espionage and maybe some extortion. You cannot fight crime of this sort with a cold-war strategy. Several reasons:
This strikes me as basically an over-aggressive, "bully"-type strategy by people that like to employ violence, but are not very bright. It is doomed to fail from the onset. The situation is a bit similar to the "war on terror", but more like a "war on (petty) Internet crime". Fighting crime with military means has never worked and will never work. The way to fight crime is by I) better securing your property (but especially the government and military seem to be hugely incompetent in that area) and II) standard police work. The added complication is that this is an international problem, something the US is notoriously bad at tackling, since they do not understand the rest of the world at all. But bombing shoplifters is not something that is going to work, ever, and even not very bright people should be able to understand that.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I'm just thankful that our DHS chief is so self-confident he feels comfortable publicising his ignorance/incompetence at his position. Yes: let's use economic sanctions/diplomatic saber rattling against random third world countries based on the originating IP address of whatever botnet is currently being used to pester our computer networks. THAT won't be abused. I'm sure China won't start concentrating their DDoS attacks exclusively from infected terminals with a Tibet IP block.
Deterrent through force of arms never worked.
That was the solution to the balance of power pre-WW1 if anyone remembers a bit of history. We all saw how that ended up.
Meh, basing the entire future of the internet on "Go on, do it, I dare you" will not end well for anyone. I can already see an RIAA/MPAA sponsored 'attack' taking down most of the internet (and them meddlin` filesharers!) for a few weeks.
the monkeys indicated that any relatives of theirs would never behave (inhumanely) the way that we (?humans?) do.
against us.
The newest terrorist tactic will be to simply compromise one system at a sensitive US installation and use it to attack DHS. It saves a step. Before this, you'd not only have to get access to the device, but you'd also have to know how to break it. Now step 2 is automated. You can also escalate the attack. If you have only unprivileged access, but can send outgoing packets, you can now take it out.
While I'm sympathetic to Chertoff's views, the problem remains that the tools he suggests are both too blunt for the purpose and may actually reveal important, low risk information for the adversary. As the title suggests, the US has a many decades history, since the Second World War, of using progressively more selected and targeted means of killing people. There are two reasons for this. A more focused weapon inflicts more damage on the intended recipients and less damage on third parties. However, to be used effectively, you need to have intelligence on your foes and sufficient control of the weapon so that it hits what you want it to hit.
For example, in the absence of any intelligence, other than that "bad guy" insurgents are hiding in a certain city, then a nuclear bomb would be more effective than a smart bomb for causing harm to the enemy. The drawbacks of such a brutal and lazy strategy are pretty obvious, from huge loss of innocent life to the possibility that most of the bad guys survive the nuclear attack (maybe they're in a bunker or spread out so that a nuclear burst takes out only a few at a time). A smart bomb would be useless, a bad guy is more likely to die from traffic accidents.
OTOH, intelligence on where exactly the "bad guys" are leads to the smart bomb being much more effective. A smart bomb delivered right to the basement is more effective than a nuclear bomb blindly lofted a dozen miles away.
That sums up what I see as the first problem with Chertoff's proposals. Since the force is not focused nor based on decent intelligence, it doesn't harm the foe and harms innocents instead.
Second, unfocused harm has the tendency to warn the enemy that you know something before you get a chance to do significant damage to them. A worst case here would be a rigid retaliation procedure that a foe could use to map out the sensitivity of your defenses and deliberately trigger unpopular retaliation attacks on innocent targets.
As it stands, there apparently is a large scale, systematic looting of US (and developed world) knowledge by unknown parties (often thought to be the Chinese government or Russian underworld). There should be a price paid for trying to steal millions or billions of dollars of information. I think that Chertoff's suggested approach is a losing strategy that doesn't help the US mitigate the loss from such activities.
Although wannabe gangsta advice from career pencil pushers usually ends up getting you beat up much like they themselves were back in high school.
Anyone with the name "shirt off" doesn't need to be commenting on the use of the internet.
No sig for you. YOU GET NO SIG!
Nuclear deterrence actually makes sense in the world of war where there is no physical possibility of being 100% certain to prevent an enemy from entering a state armed to the teeth, or sending in a nuke of their own. However, the internet has very few clear access points for any given institution. Your air-traffic control tower is suffering a cyber attack? Pull the plug on the router. The air-traffic control tower is suffering repeated cyber attacks? Time to fire your IT staff because they are idiots who don't know how to properly secure / segregate critical control infrastructure.
The person in the TFA goes on some random blabbering about "attacks on infrastructure" and "thousands at risk", proposes "cold-war, nuclear deterrence"-like strategy, then contradicts itself by saying "then ... incapacitating the platform used to attack is something that you have to do", then goes again to talk about "overwhelming force" and what not.
There's no logic in that, and, if anything, it is the opposite of MAD, the dominating war strategy of the Cold war.
The premises of MAD were clear -- a few powers with nukes, nuclear attack's originator cannot be hidden, each party has enough nukes to flatten the other even if it is hit first. These obviously don't hold for the kind of threats TFA is discussing.
Also, MAD didn't work quite well, if at all, and it became ill and died a quiet death in the late 80s.
Ironically, precisely the perceived ability to "incapacitate the platform of attack" is what killed it, because, as ballistic missile accuracy rose, the military went into fantasies of a "surgical" strike combined with a "shield" platform to take out the MAD capability.
The death of MAD became obvious and official in the nineties - US gave up first, Russia following, as it became clear that nuclear proliferation is very likely unstoppable, and that MAD doesn't work very well against rogue states and terrorists. Currently both the Russian and the US military doctrines envision tactical nuke usage scenarios.
Trying to resurrect this rhetoric against a class of threats that doesn't resemble the premises of the original MAD doctrine at all is only hype, marketing and justification for subsequent funding requests.
It will work just as well as the effort for closing the mineshaft gap did.
I'm all for cyber espionage, especially if the data is leaked all over. Perhaps people would figure out how manipulated they are.
Build your own energy sources from scratch. http://otherpower.com/
Wow. Is this the timecube guy?
but then ends up using it against 'us'.
Terrorism charges are common for all sorts of reasons. RICO, ditto. The military is being moved to deal with problems inside the US. ...
Our gov has far too much power, which is the reason everything is going to shit.
Not only is it doomed to fail, it is ironic, too: http://www.pdfernhout.net/recognizing-irony-is-a-key-to-transcending-militarism.html
As I wrote on that page: "There is a fundamental mismatch between 21st century reality and 20th century security thinking. Those "security" agencies are using those tools of abundance, cooperation, and sharing mainly from a mindset of scarcity, competition, and secrecy. Given the power of 21st century technology as an amplifier (including as weapons of mass destruction), a scarcity-based approach to using such technology ultimately is just making us all insecure. Such powerful technologies of abundance, designed, organized, and used from a mindset of scarcity could well ironically doom us all whether through military robots, nukes, plagues, propaganda, or whatever else... Or alternatively, as Bucky Fuller and others have suggested, we could use such technologies to build a world that is abundant and secure for all. So, while in the past, we had "nothing to fear but fear itself", the thing to fear these days is ironically ... irony. :-) "
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
... like attacking free speech when people say things you don't like, or blaming socialism for the effects of globalization. My point is this, the platform is not at fault.
Terrorism is only scary to people who shouldn't have been let past the third grade. Even irrational people understand their risk of death by terrorism is pretty much nil, compared to say their risk of horrible death involving decapitation and other hilarious ends while driving.
"Cybersecurity", though?
Computers are strange, wondrous magic boxes for the vast majority of the population. Even for the supposed tech whiz 'next generation'. Oh, sure, kids these days understand Twitter. They sure as hell don't understand TCP/IP. What better platform, then, to force Americans to do what we do best? Wet our pants in baseless fear and beg our government to strip us of our freedom.
OH NOES OSAMA IS WHISTLIN' INTO A PHONE AND LAUNCHING NOOKS FROM SATELLITES! :O SAVE ME, GOVERNMENT!
*sigh*
It looks like the internet has come full circle. It started as a military project, became a public utility, and now the government wants to militarize it again.
Maybe he said "nuclear due process" and the interviewer mistakenly wrote down "nuclear deterrence." He'd certainly never advocate destroying a US Citizen's computer without any due process! That would be just wrong! Chertoff's a former Assistant U.S. Attorney! I'm sure he respects the Constitution and would never advocate something so awful.
Destroying the countries where attacks originate is a broken doctrine, IMO. Use of force should always be measured, and focused, lest history revile us. The ease of false flag operations in "cyberspace" makes the nature of our responses to attacks even more important. I would dismiss Chertoff out of hand were it not for the possibility that, rather than harmless BS, talk like this may encourage a doctrine that will allow our government to start wars and engage in various intrigues, to evil ends. Chertoff co-birthed the anti-Christ fetus disingenuously called the "USA PATRIOT" act, so we should tell him to take his "overwhelming force" and sell crazy some place else. We seem to be stocked up already.
This is great news for our foreign adversaries. Now all they have to do is compromise one server in a country that they want to target, and then use that as a proxy to launch a cyber attack on the US. In fact, they don't even really have to compromise one. They just find an open proxy server. For bonus points, find an open proxy server that belongs to a hospital or whatever.
If they are very lazy, they could just launch a distributed denial of service attack and spoof the source address of their target country.
Now, excuse me while I go disassemble my car so I can get the tracking device and put it on my victim^h^h^h^h^h^hfriend's car...
I propose ignoring Chertoff.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
"If you have a persistent series of attacks on critical national infrastructure, then you could make the argument that incapacitating the platform used to attack is something that you have to do"
So just as an example .. if a foreign government was to take down say, a nuclear power plant, using a large network of bots built on a group of zero day flaws in Windows.. it would be justified for the government to retaliate by destroying that network of bot infested computers. Something like corrupting all of the hard disks so that the operating systems weren't able to support the bot net any longer?
While a dedicated, 'securer', privacy free parallel internet would not be invulnerable, it might reach a balance between security and cost. A police state parallel internet would be a good thing for the more secure stuff that needs to communicate.
No big surprise.
Chertoff was the head of DHS who hired Stasi officers - like Markus Wolf - to design plans for a mandatory ID programme, like that used to control freedom of movement in the former East Germany.
"Chertoff is credited with authoring the Patriot Act, the 300-plus page blueprint for the modern National Security State; patterned to great extent on the successes of the KGB in the Soviet system. He's admired among his Bush cadres for making sure that government surveillance operates at maximum efficiency. Under his stewardship at the Dept of Justice, the 4th amendment has withered like summer grass. The long-held belief that citizens, have a right to a "reasonable expectation of privacy" has buckled under the demands of "Big Brother" and the new "intrusive" security paradigm."
And: "Chertoff's record of failure at Justice is second only to that of Ashcroft. His 4 year tenure hasn't produced even one identifiable success. (Check out his "obstruction of justice" in the John Walker Lindh case on Democracy Now)
Instead, his personal ineptitude and his palpable contempt for the law have only showered more disgrace on the institution of American justice. That probably explains why he's being moved up the bureaucratic dog-pile to the top rung of Homeland Security. In Bush-world "failing upwards" is more commonplace than cowboy boots at a Crawford tent-show."
Failing Upwards: The Rise of Michael Chertoff
Before this? He was an Assistant Attorney General - who enabled Chiquita to escape prosecution for hiring private, right-wing death squads - to suppress fair-trade practices from emerging in the banana plantations of Colombia.
"Chiquita, [company officials told Chertoff], would have to pull out of the country if it could not continue to pay the violent right-wing group to secure its Colombian banana plantations. Chertoff...affirmed that the payments were illegal but said to wait for more feedback, according to five sources familiar with the meeting...Sources close to Chiquita say that Chertoff never did get back to the company or its lawyers. Neither did Larry D. Thompson, the deputy attorney general, whom Chiquita officials sought out after Chertoff left his job for a federal judgeship in June 2003. And Chiquita kept making payments for nearly another year."
Chertoff, Chiquita and Death Squads
Now, this Mossad-tool wants to escalate the idea - absurd to those with a deep, functional knowledge of IP switched networking - of Cyber Cold War.
This is another part of the steady drumbeat to get a CCOIA type law passed - so the US gets its own "Great Firewall of China".
Chertoff DOES have a real enemy that he wants to damage in his cyberwar: the enemy is YOU.
"Flyin' in just a sweet place,
Never been known to fail..."
... because when I saw TF title I wondered why the hell Melanie Chertoff would even have an opinion on the subject.
" just take punitive action against the platform being used to attack, says Chertoff."
So, he's now advocating that the military should actively target Windows systems? 2011, The Year of the Linux Desktop! Who'd a thunk it?
In other shock news today the American military-industrial complex suggested that the world become more paranoid and adversarial.
as it's good for 'business'. then, as always, demand more applause/adulation/fear from the woundead, innocent bystanders, & the rest of US (hurrying up to be your) hostages, i mean supporters.
get ready to meet baal. 1000 channels, only one 'program' (the hate/fear/selfishness primer) on 24/7/365.
his (rand(r)oidian) position is; the bugwear works just fine, kill off the other crooks, & i'll be ok again. here's some more money. did you see our new phone? you can listen in on/track anybody we can coerce into using one. talk about cool, innovative, foolproof. just sign here (again).
It's unusual to see open disagreement between such statements, which are usually carefully orchestrated; I wonder whether it reflects an underlying conflict between DHS and the new Cyber Command, with GCHQ siding with Cyber Command?
Chertoff was behind the preposterous program on CNN where a collection of lawyers sat around trying to play techies on TV. Most of them were probably technology challenged, and they focused on legal nonsense to deal with a weird technical scenario (a malicious cell phone app goes wild and shuts down the power grid).
His crazy ideas led to the proposal to shut down the Internet in the event of national emergency.
When he was in office he was behind a stunt where a cybersecurity attack was assumed and a piece of equipment was misused and rigged to tear itself apart -- on TV -- by doing something that has been known for decades to be a no-no.
The only value of Chertoff's nonsense is publicity for the issue. Everything beyond that is idiocy.
Cybersecurity is clearly a serious concern and work needs to be done to improve it for critical infrastructure. But off-the-wall ideas coming from Chertoff are not the way to move forward. Instead, we should have people who know what they are doing lead the effort.
Michael Chertoff needs a good lesson in the Internet or some hacker somewhere is going to cream his (or her) pants if this gets implemented.
So, let's say I'm a hacker under the employ of country X. Let's also suppose that country X hates country Y. So, I (through hacking or espionage) get control of some servers in country Y, and stage an attack from there into the U.S.A. The American government then proceeds to launch a massive attack against country Y, crippling its Internet infrastructure. Motherland X then takes advantage of the chaos caused by loss of Internet services in the country to attack, possibly aided by U.S. forces (who are of course ignorant that country X was the original source of the attack [we're also assuming I'm good at covering my tracks]).
So, country X just provoked U.S. military response against an innocent country Y for our own purposes. Yeah, totally a good idea, and totally not a predictable strategy that's useful for getting rid of enemies.
This could be made more sinister, too. Let's say I'm from country X, and there's a server in country Y that hosts a few bloggers unfriendly to X's regime...
No, really look at this:
http://csrc.nist.gov/publications/history/myer80.pdf
I had a fellow Researcher send this to me this morning - it blows the lid off of what I've been speaking (LOUDLY) and writing about for years - here and other places, basically Subversionhack:
http://subversionhack.livejournal.com/
https://tagmeme.com/subhack/a/
^ 2nd site has Certificate Expiration problem ^
Chertoff article:
"Chertoff told ZDNet UK at the conference that cyberattacks on critical national infrastructure could put thousands of people at risk. "I can envision attacks with catastrophic consequences, with serious loss of life," said Chertoff. "If someone took down an air-traffic control system, we would have devastating loss of life."
"Cold War" is a bit extreme, Red Teams would be a better response.
When you have a hack within the truly elite league such as (the) Subversion(hack) you really need to envision the possibilities of a thousand little fires all within the confines of your neighborhood - honestly.
This NAVY paper of 1980 should get you up to speed.
If you have a Slashdot account, review my post on this and things will become a bit more clear.
The first of my links should give you a good over all.
~hylas
Cyber this, cyber that, who the fuck is even using cybernetics?
This, previously mentioned fellow Researcher is on a hot trail - an update:
The paper was re-done in 2001.
http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA417629
Now, from a completely different team Researcher, same trail:
Another paper on that same line from the Naval Postgraduate School.
It makes reference to the Myers' thesis.
"A Demonstration of the Subversion Threat" by Emory A. Anderson
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.149.5898&rep=rep1&type=pdf
If you'd like to help, or know more (serious research only please):
hylas(a+)operamail(d0t)com
Me?
I got nothing.
(lately) ;-)
I'm still reading the paper.
As far as Chertoff, a Cold War means nothing when you're fighting Ghosts (and your own Computer).
~hylas